1. Adviser: Frank, Yeong - Sung Lin Present by Jason Chang 1

2. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 2

3. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 3

4.  Reliability represents a system’s ability to work correctly and continuously.  Unfortunately, the reliability of individual components of a given system is rarely one.  To improve system reliability in the presence of possible component failures:  Redundancy  Voting schemes 4

5.  When the reliability of a single component(replica) is high, the more redundancies that are added to the system, the more reliable the system behaves.  However, when the system is under intentional cyber attacks, voting components may be compromised by the attacks.  In fact, when both the reliability of components and possibility of components being compromised are taken into consideration… 5

6.  Example 1 :  Assume a system consist of 9 replicas.  The reliability of each replica is 0.9  If only five out of the nine replicas are used in deciding the final result through a majority voting, the system reliability is where N v is the number of voting components and p is the component’s reliability. 6

7. 7

8. 8

9.  In order to reduce the probability of a system being compromised, we have to increase the difficulty for an attacker to launch successful attacks if such attacks cannot be fully prevented.  To enhance the cyber protection of existing system components.  To decrease the probability that an attacker would strike the system’s voting components. 9

10.  To decrease the probability that an attacker would strike the system’s voting components:  Information hiding technique.  Defender can dynamically select different sets of voting components.  In this paper, we assume attackers cannot distinguish the differences among components, hence adding camouflaging components, such as installing honeypots [7], decreases the probability of a voting component being attacked. 10

11.  Based on [8]–[11], it is known that between a defender and an attacker, the one who invests more resources on a component wins that component.We revisit Example 1.  Example 2 (Example 1 Revisited) :  Assume:  9 components  reliability = 0.9  attacker & defender resource = 18 units  Creating a camouflaging component = 2 units  the attack is random, but the attacker can make rational decisions in selecting the number of components to attack. 11

12.  Case 1 :  Assume the attacker chooses six components to attack and evenly distributes his/her resources on the selected components; while the defender allocates his/her resources to protect all nine components that all participate in the voting process.  the defender allocates 18/9 = 2 units of resources the attacker allocates 18/6 = 3 units of resources  all six components being attacked are compromised  The majority voting from the nine components results in 0 reliability. 12

13.  Case 2 :  Suppose the attacker’s strategy remains the same, but the defender changes his/her strategy to create 3 camouflaging components, and the remaining resources are allocated to protect three components that are chosen as voters.  the defender allocates (18-2*3)/3 = 4 units of resources the attacker allocates 18/6 = 3 units of resources  all three being attacked are survived  As these protected components are the only voting components, according to (1), the system reliability is 0.9720. 13

14.  Case 3 :  If the defender keeps the winning strategy, but the attacker changes his/her strategy to attack only 4 components, the system reliability reduces to 0.6598.  From this example, we can see that the best strategy for the defender depends on how the attacker allocates his/her resources; similarly, the best strategy for the attacker also depends on how the defender allocates his/her resources and how many components are chosen to vote. 14

15. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 15

16.  Bier et. al. showed that the optimal resource allocation for defender not only depends on the structure of the system and the cost-effectiveness of component protection investments, but also on the adversary’s goals and constraints.([12],[13])  Yalaoui et al. have considered redundant components in series systems and proposed a dynamic programming method to calculate the minimum cost required for a system to satisfy the minimum reliability requirement.([14]) 16

17.  Levitin and Hausken consider series and parallel systems, series systems of parallel subsystems, and parallel systems of series subsystems, and analyze system reliability when system have or do not have budget constraint.([15]-[18])  They further analyze how to allocate resource between deploying camouflaging components and enhancing component protection when only one component needs to be protected against attacks.([8]) 17

18.  They provide approaches of protection and redundancy to reduce the expected damages caused by attacks. The of each system element is determined by an attacker- defender contest success function, and the expected damage caused by the attack is evaluated as the system’s unsupplied demand.([10])  They proposed three approaches to minimize system damage when both the defender and attacker choose their strategies when the contest intensity changes.([9]) 18

19.  Dif ference I : The reliability of the system does not depend on the system‘s structure nor on the number of uncompromised system components, but instead it is decided by a nonempty subset of the components in a system that from the voting components. 19

20.  Hardekopf et al. proposed a decentralized voting algorithm that improves system dependability and protects the system from faults and hostile attacks. ([19])  Tong et al. showed how to choose optimal weight assignments for the majority voting strategy in the system and also proposed new effective vote assignment algorithms that aim to maximize the system reliability. ([20])  Davcev proposed a dynamic weighted voting scheme for consistency and recovery control of replicated files in distributed systems. ([21] ) 20

21.  Difference I : A voting scheme as outlined in [3] is employed, however, different from [3], we extend Random Troika to encompass, if needed, up to n components to form the voters.  Difference II : [19]-[21] considers the performance of the algorithm when the number of system component is fixed; while in this paper, the number of composing components can be changed under different resource allocation strategies, which may lead to a change in the voting strategy to achieve a higher reliability. 21

22.  Our earlier work focused on :  Using an information hiding approach to prevent the attackers from quickly identifying the location of critical components in the system. ([6])  Deciding optimal resource allocation for improving system reliability under random attack( [27], [28])  Determining a voting strategy for a set of clusters when they are under rational attacks.([29]) 22

23.  Difference I : The system models are different.  The system reliability depends on the reliability of a set of selected voting components and whether they are compromised or not, while in [27] and [28], the system reliability is the probability that all critical components survive the attacks, and [29] aims to maximize the overall reliability of a set of clusters rather than an individual system.  Difference II : The protection approaches are different.  The previous work either considers the voting mechanism or protection approaches (i.e., creating camouflaging components, or enhancing component protection, etc.), while the work presented in this paper considers a more comprehensive approach that integrates the voting mechanism with the protection approaches. 23

24. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 24

25.  The notations used in this paper : NotationImplication NsNs Number of system components NcNc Number of camouflaging components NpNp Number of protected components NvNv Number of voting components NaNa Number of attacked components Number of attacked voting components Number of compromised voting components Number of attacked protected voting components RdRd Total defense resources RaRa Total attack resources 25

26.  The notations used in this paper (cont.): NotationImplication rdrd Amount of defense resources on each protected component rara Amount of attack resources on each attacked component C Cost for creating a camouflaging component p Component’s reliability P System reliability M Reliability matrix Defense strategy selection vector Attack strategy selection vector SdSd Number of defense strategies SaSa Number of attack strategies 26

27.  Assumptions:  A system consists of N s diverse replicas, and the reliability of each replicated component is p.  We use N v to denote the number of voting components, where N v ≤ N s.  The system reliability P is defined as the probability that a correct result is obtained through a majority voting among voters. 27

28. 28

29.  Assume a system defender is given a fixed amount of defense resource, R d, which can be used to create camouflaging components or to enhance component cyber protection, and the cost for creating a camouflaging component is C, and N c camouflaging components are created, where N c × C ≤ R d.  The remaining defense resources (R d – N c × C) are evenly distributed to enhance the cyber protection of a subset of system components, called protected components N p, 0 ≤ N p ≤ N s. 29

30.  Hence, the resource r d used on each protected component is given by 30

31.  As the attacker cannot distinguish the differences between unprotected, protected, camouflaging, or voting components, the selection of components to attack is random.  Assume the total amount of resources that an attacker has is R a and they are evenly distributed to attack a subset of components N a (1 ≤ N a ≤ N s + N c ), the amount of resources allocated to each attacked component is : 31

32.  Based on Levitin et al. [8]–[11], the attack success probability on a single component can be modeled by a contest success function given in : where ra and rd are the amount of resources invested by attacker and defender, and Pa is the attack success probability  When the contest intensity indicator m = +∞, the attack success probability function (4) reduces to winner-takes-all, i.e., whoever invests more effort wins the game. 32

33.  We consider the defender assumes the worst-case scenario [30], i.e., the attacker knows the defender’s resource information and defense strategies.  An upper bound on attack resources (i.e., R a ) would be a combination of favorable-for-the-attacker values of the following: requisite attacker skill-level; time budget for the attack; and the computation and communication expenditures for an attack. 33

34.  In summary, we make the following assumptions regarding the defender and attacker’s knowledge : 1)Public information shared by the defender and the attacker: a)The amount of resources that the defender and the attacker have, i.e., the value of R d and R a. b)The cost for creating a camouflaging component, i.e., the value of C. c)The number of system components and camouflaging components, i.e., N s and N c d)The reliability of a system component without protection hardening, i.e., the value of p. 34

35. 2)Private information : a)The defender does not know which components are currently being attacked. b)The attacker cannot differentiate unprotected, protected, camouflaging, and voting components. c)The attacker does not know which components are voting components. If the number of voting components is no larger than the number of protected components, it is obvious, from the defender’s perspective, that the voting components should only be chosen from the protected set. 35

36.  Based on the above discussion, we formulate the problem of improving system reliability against rational attacks as follows: where P(N c,N p,N v,N a ) is the system reliability under the given values. 36

37. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 37

38.  Assume the defender has made the decisions on the value of :  N c  N p (0 ≤ N p ≤ N s )  N v (1 ≤ N v ≤ N s )  The attacker has made his/her decision on the value of :  N a (1 ≤ N a ≤ N s +N c ) 38

39.  We only need to consider the attacks that target the voting components.  Assume out of N a attacked components are voting components, the range of is :  The probability, δ (, N a ), that the attacker targets exactly N v a voting components is : 39

40.  In order to obtain the system reliability, we need to know the number of compromised voting components ( ) in a voting process : 40

41.  The probability that a correct result is obtained through a majority voting when components are compromised is : 41

42.  According to the system model :  If N v ≤ N p  =  However, if N v > N p  the range of is :  The probability that out of attacked voting components are protected components is given by : 42

43.  The system reliability is : P(N c,N p,N v,N a ) = where lb = N a − N s − N c + N v, and 43

44.  An Example(Example3) :  Create N c = 3 camouflaging components  Allocate the remaining resource to protect N p = 3 components  Choose these 3 protected components as voters, that is N v = 3  Attacker randomly selects N a =4 components to attack  The amount of attack resource on each attacked component is r a = R a /N a = 18/4 =4.5  The amount of defense resource on each protected component is r d =(R d -N c *C)/N p =(18-3*2)/3=4 44

45.  Based on the information and (6), the number of the attacked voting components ranges from 0 to 3.  The probability that the attacker attacks exactly voting components is : 45

46.  In addition, as r a > r d, from (8), we know =  The probability that a correct result is obtained when components are compromised is :  Therefore, based on (12), the system reliability is : P(3,3,3,4) 46

47. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 47

48.  For a fixed number of camouflaging components N c (0 ≤ N c ≤ R d /C), a defender can vary the value of N p and N v.  As :  N p ranges from 0 to N s  N v ranges from 1 to N s  Therefore, the total number of strategies the defender can choose is S d = (N s + 1)N s. 48

49.  For a given N c, the i th (1 ≤ i ≤ S d ) defense strategy corresponds to when N p = (i − 1)/N s and N v = i − N s × + N s.  For the attacker :  the number of attacked components ranges from 1 to (N s + N c )  the total number of possible attack strategies is S a = N s + N c  the j th (1 ≤ j ≤ S a ) attack strategy is N a = j  When both the defense strategy (N c,N p,N v ) and the attack strategy (N a ) are determined, the system reliability can be calculated by using (12). 49

50.  We define a matrix M = (r i,j ) S d ×S a to record the system reliability under each possible defense and attack strategy, where r i,j refers to the system reliability when the defender chooses the i th defense strategy and the attacker chooses the j th attack strategy.  In other words, 50

51.  Clearly, for each defense strategy, depending on which attack strategy is taken by an attacker, the system reliability can vary.  We introduce two vectors: = [x 1,..., x Sd ] T = [y 1,..., y Sa ] T where x i ∈ {0, 1} and y j ∈ {0, 1}  Since a defender and an attacker can choose only one strategy at a time, we have : 51

52.  Based on the defense strategy selection vector and the attack strategy selection vector, the system reliability is :  The objective of the defender is to maximize the system reliability under the worst-case scenario. In other words, the defender’s objective is to maximize P min : 52

53. 53

54.  Example 4 :  Assume:  a system consists of N s = 5 functional components  the reliability of the components is p = 0.95  the defender resource R d = 35 units  the attacker resource R a = 20 units  the cost for creating a camouflaging component is C = 3 units of resources  the defender creates two camouflaging components, i.e., N c = 2. 54

55.  The total number of defense strategies is S d = (N s +1)N s = 6×5 = 30  The total number of attack strategies is S a = N s + N c = 7  Matrix M = (r i,j ) 30×7 stores the system reliability under each possible defense and attack strategy, where r i,j =  Based on the given values, i.e., N s, R a, p, R d, N c, and C and follow Algorithm 1 :  x 18 = 1  P maxmin = 0.9541  N p =  N V =  P = 0.9541 55

56.  Now, we relax the constraint and let N c vary from 0 to : 56

57.  Example 5 :  the maximum number of camouflaging components that can be created is  under each resource allocation of camouflaging component creation, the system’s maximal reliability and the corresponding number of protected and voting components are: 57

58. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 58

59.  We study how the defense resources impact the defender’s strategy :  a system consists of 7 replicas(N s )  the reliability of each replicated component(p) is 0.95  attack resources(R a ) is 40 units  the cost for creating a camouflaging component(C) is 3 units  The amount of defense resources(R d )is increased from 10 to 110 units 59

60.  It is worth mentioning that there is no particular preference when deciding the amount of attack resources.  We set the amount of attack resources to 40 units and the range of defense resources from 10 to 110 units so that we are able to see how the defense strategy changes under different cases, i.e., the amount of defense resources is less than, equal to, and greater than the amount of attack resources. 60

61. 61

62.  From Fig. 3, we observe the following : 1)When the amount of defense resources is small, the defender should allocate resources to protect a small set of functional components (Line L2 in Fig. 3) and choose these protected components to vote (Line L3 in Fig. 3). 2)As the amount of defense resources increases, the defender should protect more components (Line L2 in Fig. 3) and choose these as voting components as well (Line L3 in Fig. 3). 62

63.  From Fig. 3, we observe the following(cont.) : 3)All protected components should participate in the voting (Lines L2 and L3 in Fig. 3). 4)The unreliability of the system decreases, i.e., the system’s reliability increases, as the amount of defense resources increases. (Line L4 in Fig. 3). 5)When the amount of defense resources increases, the defender should create more camouflaging components (Line L1 in Fig. 3). 63

64.  In this experiment, the system reliability is evaluated under the worst-case scenario.  Therefore, when the attacker randomly selects his/her strategy, i.e., the attack strategies have uniform probability, the system’s expected reliability will be greater than or equal to the maximized minimum reliability. 64

65. 65

66.  We analyze the effect of the amount of attack resources on defender’s strategies and system reliability :  R d =40  C=3  p=0.95  N s =7  The amount of attack resources(R a ) increases from 10 to 110 units. 66

67. 67

68.  When the amount of attack resources is small, i.e., Ra = 10, all of the system components are protected and chosen to vote (Line L2 and L3 in Fig. 5).  However, when the amount of attack resources increases, i.e., Ra = 30, there is only one component being protected in the hopes that the voting component survives the attack (Line L2 and L3 in Fig. 5). 68

69.  In addition, we can see that when the amount of attack resources increases, the system reliability decreases (Line L4 in Fig. 5).  When the amount of attack resources increases from 50 units to 110 units, the number of camouflaging components changes drastically (Line L1 in Fig. 5). 69

70. 70

71.  We compare the system reliability when the number of voting components is fixed versus when it is optimally decided by the algorithm :  R a = 40  C = 3  p = 0.95  Ns = 7  The value of N v is set to constant 1, 3, 5, and 7, or chosen by the Algorithm 2, respectively. 71

72. 72

73. Introduction Related Work Assumptions and Problem Definition System Reliability under Given Defense and Attack Strategies Algorithms to Determine Defense Strategy Against Rational Attacks Simulation Results Conclusion 73

74.  Redundancy and voting schemes are often used to tolerate natural-caused component failures.  When a system is under intentional cyber attacks, the system reliability is not necessarily proportional to the number of redundancies of voting components.  This paper analyzed system reliability when both a defender and an attacker were given a fixed amount of resources and studied how their resource allocation strategies impacted system reliability. 74

75.  Develop an algorithm for system defenders to optimally allocate their resources and decide the number of voting components so that the system reliability was maximized even under the scenario that was most favorable to attackers.  When a defender had sparse resources compared to what the attacker had, the defender should invest the resources into protecting a fewer number of components and select only the protected components for voting.  If the resources were abundant, the defender should increase the number of protected components and allow more components to vote. 75

76.  We only considered that components can be compromised while the communication channel for the voting protocol is reliable.  In reality, communication channels played an important role when it comes to the system reliability, often times they are the target of attacks.  When network reliability was taken into consideration, less communication in reaching a consensus could imply higher reliability of the consensus; on the other hand, fewer voting participants (less communication) could result in lower reliability. 76

77. 77